Ran Bar-Zik, a web developer at AOL, has discovered and reported a bug in Google Chrome that allows websites to record audio and video without showing a visual indicator.
The bug is not as bad as it sounds, as the malicious website still needs to get the user's permission to access audio and video components, but there are various ways in which this issue could be weaponized to record audio or video without the user's knowledge.
[...] In a private conversation, Bar-Zik told Bleeping Computer he discovered the bug at work while dealing with a website that ran WebRTC code.
[...] When a website receives this permission, it can run JavaScript code that records audio or video content, before sending it over the Internet to the other participants of an WebRTC stream. This recording process is done via the JavaScript-based MediaRecorder API.
[...] Because the permission to access audio and video data was granted for an entire domain, the Israeli developer realized he could start a headless Chrome window (popup) where he could run the code to record audio and video.
Because Chrome shows the red circle and dot icon in a window's tab, the icon doesn't appear for the popup because this headless window doesn't have a tab bar.
Source: BleepingComputer
(Score: 0) by Anonymous Coward on Thursday June 01 2017, @07:10AM (6 children)
When the server world, "headless" means without keyboard, monitor and often graphics card. How can a browser window run "headless"?
(Score: 2) by coolgopher on Thursday June 01 2017, @07:55AM
Headless browsers are frequently used for automated testing. There's a nice list of options (and levels of headless) over here [github.com].
I am not sure what "headless" means in the context of this particular article summary however.
(Score: 0) by Anonymous Coward on Thursday June 01 2017, @07:57AM (1 child)
Tabless.
(Score: 0) by Anonymous Coward on Thursday June 01 2017, @08:03AM
Tabless windows seem to work the same way in Firefox also.
(Score: 2) by kaszz on Thursday June 01 2017, @09:32AM
I thought it was headless to have such featu^H^Hbug! that allows funny alphabet combination to retrieve data .. :-)
(Score: 0) by Anonymous Coward on Thursday June 01 2017, @08:57PM
Huh, its almost as if different groups use the same words to mean different things.
That certainly can't be the case.
https://en.wikipedia.org/wiki/Metallicity [wikipedia.org]
https://en.wikipedia.org/wiki/Metal_(API) [wikipedia.org]
https://en.wikipedia.org/wiki/Heavy_metal_music [wikipedia.org]
(Score: 2) by edIII on Thursday June 01 2017, @11:13PM
curl
That's how a browser runs headless :)
(or at least while operating "headless")
Technically, lunchtime is at any moment. It's just a wave function.
(Score: -1, Troll) by Anonymous Coward on Thursday June 01 2017, @07:14AM (1 child)
Jew thinks he found a bug and he exploits the opportunity to showcase his leet skillz.
While the "bug" is how things were designed and are working as expected, jew still believes he found a bug.
There is no bug, only a cunning exploit of a design. That is how the jew operates. Beware of the jew and all his friends.
(Score: -1, Offtopic) by Anonymous Coward on Thursday June 01 2017, @08:13AM
With Jews you lose!
(Score: -1, Spam) by Anonymous Coward on Thursday June 01 2017, @08:05AM (1 child)
I DON'T NEED A REASON TO KILL MYSELF
(Score: -1, Spam) by Anonymous Coward on Thursday June 01 2017, @08:24AM
"Allie, he came in my mouth, and then he tried to beat the shit out of me because I wanted to tell you. You know... It was an accident. But... He deserved it."
"Did you know that identical twins are never really identical. There's always one who's prettier. And the one who's not does all the work. She used me, and... Then she left me. Just like you. "
"Well, he will cheat on you again. That's a promise. And when he does, don't come running to me, okay? Because I've had it with you. You're so fucking weak! "
(Score: 2) by kaszz on Thursday June 01 2017, @09:29AM (2 children)
Either they fix this or they are complicit. Not that it would be any surprise from established facts.
(Score: 0) by Anonymous Coward on Thursday June 01 2017, @11:58AM (1 child)
Electrical tape. Problem solved.
(Score: 2) by edIII on Thursday June 01 2017, @11:18PM
Nope. Still have audio. Solving it permanently would involve a physical bypass, LED indicator, and the ability to connect to the honey pot [youtube.com] when it is turned off. That way anybody trying to surreptitiously record you gets fake audio and video.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 1) by anubi on Thursday June 01 2017, @10:57AM (2 children)
The only way I know for sure if the camera or microphone is on is to have a physical LED monitoring the power provided to the analog amplifiers or the camera.
If the computer is gating power to the camera, the LED comes on. No way in software to spoof it. No camera power, no picture. Same with the mic.
Remember those old-school modems? Their LED displays let you know when they were sending data. Whether the program author wanted this or not.
Once you have software running the indicators, it can be spoofed.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 2) by leftover on Thursday June 01 2017, @03:04PM (1 child)
Use a USB camera, keep it unplugged.
If it is plugged in, assume it is playing on
the New York Times billboard.
Bent, folded, spindled, and mutilated.
(Score: 2) by bob_super on Thursday June 01 2017, @05:31PM
The New York Times billboard? I hope you didn't mean that in the same you could have said "your grandma's TV".
Because for many people, controlling a giant screen on Times Square isn't exactly an incentive to behave like at Sunday mass.
(Score: 1) by noneof_theabove on Thursday June 01 2017, @09:00PM
those strange sounds coming mainly from commercials, but some shows, on the tv.
All this "advertising" crap has to stop.
I like what Bill Maher said [paraphrased] - you do police sirens and I flush all the good stuff I was enjoying....I'm coming after you.